Bug#722906: New users can't verify downloads correctly
Control: severity -1 wishlist
Control: retitle -1 Document additional methods for validating Debian-distributed files
On Sat, 14 Sep 2013, Eduard - Gabriel Munteanu wrote:
> Furthermore, http://www.debian.org/CD/verify encourages insecure ways
> of checking fingerprints, which are posted on a plain HTTP page.
> There's also no mention of ftp-master and how to use the archive keys
> to establish a chain of trust.
To ensure that the checksum files themselves are correct, use GnuPG
to verify them against the accompanying signature files (e.g.
MD5SUMS.sign). The keys used for these signatures are all in the
Debian GPG keyring and the best way to check them is to use that
keyring to validate via the web of trust. To make life easier for
users, here are the fingerprints for the keys that have been used
for releases in recent years (with some UIDs removed for clarity):
> It would be fair to expect a large proportion of users cannot or will
> not be able to establish such a web of trust, especially if they're new
Anyone capable of pulling off a MITM attack against an http site will be
capable of pulling off an attack against an https site too. Even if
the site were to be served via https, which is unlikely, due to the fact
that www.debian.org is mirrored, you still would have the same set of
problems, and users who were concerned about the authenticity of the
pages that they were viewing and the images that they were downloading
would still have to verify the key IDs via the web of trust.
1: Unless you're proposing that people check the authenticity of the SSL
certificates too against a known set of fingerprints, which brings you
right back to the same bootstrapping problem.
Don Armstrong http://www.donarmstrong.com
When I was a kid I used to pray every night for a new bicycle. Then I
realized that the Lord doesn't work that way so I stole one and asked
Him to forgive me.
-- Emo Philips.
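The two checks the quoted page describes, written out as a shell script. This is an added example, not part of the bug report and not Debian's own tooling. It assumes (the page does not say this) that the debian-keyring package is installed with its keyring at /usr/share/keyrings/debian-keyring.gpg, and that the checksum file, its .sign detached signature and the image are in the current directory; the image and checksum file names in the usage line are placeholders. It goes slightly beyond the page's MD5SUMS example by picking the checksum tool from the file name, which also covers the SHA256SUMS and SHA512SUMS files that accompany current images.

```shell
#!/bin/sh
# Added example (not from the bug report, not from debian.org): the two
# checks the quoted page describes, as shell functions.
#   1. verify the checksum file's detached signature against the Debian
#      keyring only, so a key found on a web page or keyserver is never used;
#   2. check the downloaded image against the signed checksum file.
# Assumed (not stated on the page): the debian-keyring package is installed
# and its keyring lives at the path below; the checksum file, its .sign
# file and the image sit in the current directory.
set -eu

KEYRING="${DEBIAN_KEYRING:-/usr/share/keyrings/debian-keyring.gpg}"

# Step 1. gpg's exit status says whether the signature is valid for a key in
# the keyring; it does not say whether that key is trusted. Compare the
# fingerprint gpg prints with the ones on the release page, or validate it
# through the web of trust, before relying on the result.
verify_checksum_signature() {
    sums="$1"
    gpg --no-default-keyring --keyring "$KEYRING" \
        --keyid-format long --verify "$sums.sign" "$sums"
}

# Step 2. Feed only the line for this image to the checksum tool, so the
# many other images listed in the file do not have to be present.
# The tool is chosen from the file name: SHA256SUMS -> sha256sum, etc.
verify_image_checksum() {
    sums="$1"
    image="$2"
    case "$(basename "$sums")" in
        MD5SUMS)    tool=md5sum ;;
        SHA1SUMS)   tool=sha1sum ;;
        SHA256SUMS) tool=sha256sum ;;
        SHA512SUMS) tool=sha512sum ;;
        *) echo "unknown checksum file: $sums" >&2; return 2 ;;
    esac
    # Lines look like "<hash>  name" or "<hash> *name" (binary mode).
    # An empty selection makes the tool fail, so a missing entry is an error.
    awk -v f="$image" '{ n = $2; sub(/^\*/, "", n); if (n == f) print }' "$sums" \
        | "$tool" -c --strict -
}

# Usage: verify-image.sh SHA256SUMS debian-VERSION-amd64-netinst.iso
# (placeholder names; use the checksum file and image you downloaded)
if [ "$#" -eq 2 ]; then
    verify_checksum_signature "$1"
    verify_image_checksum "$1" "$2"
fi
```

Both steps have to succeed in order: a matching checksum proves nothing if the checksum file itself was fetched over plain HTTP and never had its signature checked, and a valid signature proves nothing unless the signing key's fingerprint has been checked against a source the user already trusts, which is exactly the bootstrapping problem the message discusses.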